On Thu, Jul 30, 2009 at 11:16 AM, Manoj Srivastava<sriva...@debian.org> wrote:
> Hi,
>
> I would like to set up a selinux related release goal for
> Squeeze.
>
> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
>   but I have not discussed this with him)
> Issues to be solved:
> (a) Get all Debian patches to the reference security policy merged in
>     upstream. Status: In progress, we have all patches submitted,
>     some need to be tweaked and resubmitted based on feedback
>     Time line: 1-2 months, depending on free time I have
> (b) Update reference security policy to allow standard machines to be
>     in enforcing mode.
>     Status: It is possible to run minimal virtual machines in
>     enforcing mode, but real machines are somewhat crippled; these
>     denials need to be inspected, and determination needs to be made
>     for how to resolve them (do not want security holes enshrined in
>     policy)
>     Time line: 6-8 months (can be done in tandem with a, if there were
>     more people working on it)
> (c) Make it easier to run in strict (no unconfined.pp module)
>     mode. This needs firstly documentation, and secondly, additional
>     tweaks to policy to make it work. Russell has a play machine
>     where it all works, but those changes are not in the reference
>     policy -- and some of them might not be fit to be in ref policy
>     at all.
>     Time line: 9-12 months
>
> The actual non-policy packages are now well in sync with
> upstream, so the weak point is the security policy.
>
> Ideally, the goal would be to have Squeeze certifiable at EAL-4,
> at least the "standard" install (no optional packages), if someone with
> deep pockets were willing to actually pay for the certification, and be
> willing to push through the process.

Which parts of the work you described above would be needed for Squeeze
to be certifiable at EAL-4? All of them?

Based on your timeline, it seems A is on track to make Squeeze, we should
get more people to work with you on B (setting as a goal) and C would be a
no go for this release, jmo. Am I wrong?

regards,
-- Gustavo "stratus" Franco